Mar 302023
 

In a previous article (here), we have seen how to export a certificate and its non exportable key using a rather complex method (decrypting DPAPI).

Here below how to do it the easy way (by hooking a rsaenh.dll api) :

cert –export –store=root –subject= »Root Authority » –force

-> you get a cert.pfx containing both the certificate and the private key.

Import and enjoy !

Mar 262023
 

You want to export a certificate but its private key is marked as non exportable.

Lets export it using the hard way (a future article with demonstrate an easier method).

To realize this operation we will need:

-CAPI-FPC (here) : using windows crypto API’s (aka CAPI)

-NTHASH-FPC (here) : a tool to handle hashes and ciphers with a particular focus on windows secrets and lateral movement

-TinySSL (here) : a tool based on OpenSSL library to deal with various formats for X.509 certificates, CSRs, and cryptographic keys

1/ Identify the cert sha1 hash and save it from registry to a cer file
cert –enumcerts –store=root
->9EC82D0810FACD26CF5DE736C4F17228DDF49BBC is the cert sha1 hash

->d673096e4c9c08d6fc03c64c44117795_e65f292c-6dbf-47f8-b70f-c52e116acc05 is the cert unique name

cert –dumpcert –store=root –hash=9EC82D0810FACD26CF5DE736C4F17228DDF49BBC
->you get a blob.cer i.e your cert (without the private key)

Lets convert this binary cert (DER format) to a PEM format:

cert.exe –der2pem –filename=blob.cer

->you get a blob.crt

2/ Decode dpapi blob located in C:\Users\%username%\AppData\Roaming\Microsoft\Crypto\RSA\%SID%
nthash-win64 /decodeblob /binary:d673096e4c9c08d6fc03c64c44117795_e65f292c-6dbf-47f8-b70f-c52e116acc05

->this is your encrypted (with a masterkey) DPAPI blob

Note : you can skip this test as the blob will be decrypted in step 4.

3/ Decrypt masterkey’s located in C:\Users\%username%\AppData\Roaming\Microsoft\Protect\%SID%
nthash-win64 /decodemks /binary:c:\Users\erwan\AppData\Roaming\Microsoft\Protect\S-1-5-21-2427513087-2265021005-1965656450-1001 /password:your-sha1-hash-password /save

->masterkey’s will be saved to masterkeys.ini

4/ Decrypt dpapi blob with masterkey (from masterkeys.ini)
nthash-win64 /decodeblob /binary:d673096e4c9c08d6fc03c64c44117795_e65f292c-6dbf-47f8-b70f-c52e116acc05 /save

->you get a decoded.bin
This is your decrypted DPAPI blob i.e your decrypted rsa (private) key.

5/ Convert the decrypted rsa key to a PEM format

cert.exe –rsa2pem –filename=decoded.bin

->you get a decoded.pem

Note, we could have done it in 2 steps : rsa2pvk and then pvk2pem.

6/ Create a pfx with your certificate and private key

Optionally : you can check that your certificate and private key share the same modulus.

tinyssl –print_private –filename=decoded.pem

tinyssl –print_cert –filename=blob.crt

Finally, create your pfx certificate.

tinyssl –pemtop12 –privatekey=decoded.pem –cert=blob.crt

->you get a cert.pfx, ready to import.

Enjoy!

Jan 222023
 

You have a running ldap server but you want to be able to use ssl.

For this you need:

1-A root CA (certificate authority) installed on the domain controller/ldap server in the computer « root » store

2-A CSR (certificate service request) triggered by the domain controller/ldap server

3-A CSR signed by your root ca thus giving you a certificate to be installed on the domain controller/ldap server in the computer « my » store

4-The root CA installed in the client/user certificate store

Step 1

openssl genrsa -des3 -out ca.key 4096

openssl req -new -x509 -days 3650 -key ca.key -out ca.crt

launch mmc.exe, load the certificate snap-in, select « computer account », choose the « trusted root CA » and import your ca.crt.

Step 2

With notepad, create the below request.inf file (adapt the CN with your server CN).

;----------------- request.inf -----------------

[Version]

Signature="$Windows NT$"

[NewRequest]

Subject = "CN=dc1.acme.com,OU=IT,DC=dc1,DC=acme,DC=com,O=ACME,L=New York,S=New York,C=US"
;
KeySpec = 1
KeyLength = 1024
Exportable = TRUE
MachineKeySet = TRUE
SMIME = False
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0

[EnhancedKeyUsageExtension]

OID=1.3.6.1.5.5.7.3.1 ; this is for Server Authentication

Generate your csr with certreq -new request.inf server.csr.

Step 3

Sign your csr :

openssl x509 -req -days 3650 -in request.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt

launch mmc.exe, load the certificate snap-in, select « computer account », choose the « MY » store and import your server.crt.

Reboot your DC : your ldap ssl server is now operational.

Edit :

1/

It appears it is better to put the cert in the NT Directory Services (NTDS) store (choose the NTSD service rather than « computer account » in the MMC snap-in).

Indeed, most probably your computer account will have more than one cert in its trust store and NTDS will then pick randomly one of them.

2/

Although I did have time to replicate the experiment, it may be that you have to select 2 roles (versus all) : serveur authentication and client authentication.

More here.

Step 4

On your user/client, launch mmc.exe, load the certificate snap-in, select « user account », choose the « trusted root CA » store and import your ca.crt to allow your user/client to validate the server cert.